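---
# kube-apiserver audit policy (loaded via --audit-policy-file).
# Rules are evaluated top-down and the FIRST matching rule decides the level,
# so the "level: None" noise filters must stay above the recording rules and
# the unconditional catch-all must stay last. A request that matches no rule
# is not logged at all, which is why the catch-all exists.
apiVersion: audit.k8s.io/v1
kind: Policy
# Every request otherwise emits a RequestReceived event before the
# ResponseComplete one; dropping it keeps the outcome and halves the volume.
omitStages: ["RequestReceived"]
rules:
  # Per-namespace verbosity example (disabled). If enabled here, these rules
  # sit ahead of the noise filters below and therefore win over them.
  # - level: RequestResponse
  #   namespaces: ["production"]
  # - level: Metadata
  #   namespaces: ["staging"]

  # --- Noise filters (level: None) -------------------------------------------
  # Probe, metrics and version endpoints.
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/metrics", "/version"]

  # Control-plane components and in-cluster operators with constant traffic.
  # NOTE(review): this drops their write requests as well; the upstream sample
  # policy instead scopes such filters to the leader-election and watch
  # traffic these components are known for. Narrow it if write visibility for
  # these principals matters.
  - level: None
    users:
      - "system:kube-proxy"
      - "system:kube-scheduler"
      - "system:kube-controller-manager"
      - "system:serviceaccount:rocketmq:rocketmq-operator"
      - "system:serviceaccount:openebs:openebs-localpv-provisioner"
      - "system:serviceaccount:kb-system:kubeblocks"

  # Kubelets. Entries under `users` are matched literally, so the former
  # "system:node:*" entry matched nothing; node principals are addressed via
  # their group instead. Only their reads of Node objects are dropped, so that
  # node credentials touching other objects still appear in the log.
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes"]

  # Read-only churn on endpoints and service status.
  - level: None
    verbs: ["get", "list", "watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services/status"]

  # --- Recording rules --------------------------------------------------------
  # Objects whose request/response bodies carry credentials. Metadata only:
  # RequestResponse would copy secret data, configmap contents, the bearer
  # token under review and issued SA tokens into the audit log. No verb filter,
  # so reads of secrets are recorded too, independent of the catch-all level.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]

  # ServiceAccount changes (the objects reference secrets by name only).
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["serviceaccounts"]

  # RBAC changes and admission webhook registrations: full request body; the
  # response would only repeat it.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: rbac.authorization.k8s.io
        resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]
      - group: admissionregistration.k8s.io
        resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]

  # Namespace creation and deletion.
  - level: Metadata
    verbs: ["create", "delete"]
    resources:
      - group: ""
        resources: ["namespaces"]

  # Workload writes, plus the pod subresources that open a channel into a
  # container (all of them are POSTed, i.e. verb "create"). pods/log is read
  # with "get" and never matched a write-verb rule; the catch-all covers it.
  - level: Metadata
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: apps
        resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "pods/portforward"]

  # The audit policy itself is a file read by kube-apiserver, not a served API
  # resource, so an API audit rule cannot observe changes to it; monitor the
  # file on the control-plane hosts instead.

  # Catch-all: everything not matched above (batch jobs, CSRs, network
  # policies, custom resources, failed and anonymous requests, ...) at
  # Metadata. Without this rule those requests would not be logged at all.
  - level: Metadata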
